The message is increasingly common: “Information security is a critical consideration.” But this time the cyber-security warning wasn't handed down by a regulator – it was the Securities and Exchange Commission being scolded for its own security gaps and lapses.

Without proper safeguards, including those required by the Federal Information Security Management Act and National Institute of Standards and Technology guidance, the SEC's systems are vulnerable to those with malicious intent who want to obtain or manipulate sensitive information, commit fraud, disrupt operations, or launch attacks against others, a report issued by the Government Accountability Office says.

To process and track financial transactions – such as filing fees paid by corporations, penalties from enforcement activities, and for financial reporting – the SEC relies on computerized systems linked by local and wide-area networks and numerous enterprise-grade software applications. Although the GAO report found the agency has made steady progress strengthening information security controls, “weaknesses limited their effectiveness in protecting the confidentiality, integrity, and availability of a key financial system.”

Weaknesses uncovered within the unidentified system's network, servers, applications, and databases included:

The SEC did not consistently protect against possible intrusions by appropriately identifying and authenticating users; encrypting sensitive data; auditing and monitoring actions taken on the commission's networks and databases; and restricting physical access to sensitive assets.

Although the SEC is finalizing rules that would mandate contingency and disaster recovery planning for public companies, its own contingency plans did not provide redundancy for a critical server.

It did not securely configure a new data center, nor did it consistently apply software patches intended to fix vulnerabilities on servers and databases in a timely manner.

The SEC did not adequately segregate its development and production computing environments. Development user accounts were active on the system's production servers.

Although SEC policy requires strong passwords for authenticating users to certain servers, network devices, and databases in the key financial system's environment, oversight was lacking. The password length on a network management device and a server contained fewer characters than required; passwords on another server were configured to never expire; and two databases had a password with the same name as the user account.
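The three password findings above map directly to checks an auditor can run against an inventory of systems and accounts without ever handling cleartext passwords. The following is an added example, not code from the GAO report or the SEC; the system names, the 12-character policy minimum, the salted-SHA-256 stored-hash format and the accounts are constructed.

```python
import hashlib
import hmac

# Assumed policy values; the report does not state the SEC's actual requirements.
POLICY_MIN_LENGTH = 12

SALT = b"constructed-salt"


def pw_hash(salt: bytes, password: str) -> str:
    """Salted SHA-256 stands in for whatever hash the real system stores (constructed)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed inventory: each system's configured password settings plus the
# stored hashes of its accounts. max_age_days=None means passwords never expire.
SYSTEMS = [
    {"name": "netmgmt-01", "min_length": 8, "max_age_days": 90, "accounts": {}},
    {"name": "app-srv-02", "min_length": 12, "max_age_days": None, "accounts": {}},
    {"name": "db-fin-03", "min_length": 12, "max_age_days": 90,
     "accounts": {"finrpt": pw_hash(SALT, "finrpt"),
                  "svc_etl": pw_hash(SALT, "S3cure!Pass2024")}},
]


def audit(systems, min_length=POLICY_MIN_LENGTH, salt=SALT):
    """Return (system, account, finding) tuples for the three report findings."""
    findings = []
    for s in systems:
        # Finding 1: configured minimum length shorter than policy requires.
        if s["min_length"] < min_length:
            findings.append((s["name"], "-",
                             f"configured minimum length {s['min_length']} < policy {min_length}"))
        # Finding 2: passwords configured to never expire.
        if s["max_age_days"] is None:
            findings.append((s["name"], "-", "passwords never expire"))
        # Finding 3: password equal to the account name, detected by hashing the
        # username with the stored salt and comparing in constant time.
        for user, stored in s["accounts"].items():
            if hmac.compare_digest(stored, pw_hash(salt, user)):
                findings.append((s["name"], user, "password equals username"))
    return findings


if __name__ == "__main__":
    for system, account, issue in audit(SYSTEMS):
        print(f"{system:12} {account:10} {issue}")
```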

“Until the SEC mitigates control deficiencies and strengthens the implementation of its security program, its financial information and systems may be exposed to unauthorized disclosure, modification, use, and disruption,” the GAO warns. These weaknesses, considered collectively, contributed to its determination that SEC had “a significant deficiency in its internal controls.”

Among the report's recommendations: SEC Chairman Mary Jo White should direct her staff to assign information security personnel to monitor and evaluate contractor performance in implementing information security controls in its information technology projects, and to implement a risk management process, one that includes identifying risks, performing security impact analyses, and mitigating identified risks as appropriate, to ensure that similar contract oversight weaknesses are not widespread.

In a separate report with limited distribution due to security concerns, the GAO will provide a more in-depth list of recommendations and corrective actions needed to correct specific information security weaknesses and improve contingency and disaster recovery plans.